[FAST] TLS inspection support for NGFW Enterprise #2484

Merged
merged 20 commits into from
Aug 30, 2024
Merged
6 changes: 4 additions & 2 deletions fast/stage-links.sh
Expand Up @@ -109,13 +109,15 @@ case $STAGE_NAME in
PROVIDER="providers/3-network-security-providers.tf"
TFVARS="tfvars/0-bootstrap.auto.tfvars.json
tfvars/1-resman.auto.tfvars.json
tfvars/2-networking.auto.tfvars.json"
tfvars/2-networking.auto.tfvars.json
tfvars/2-security.auto.tfvars.json"
else
unset GLOBALS
PROVIDER="tenants/$TENANT/providers/3-network-security-providers.tf"
TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json
tenants/$TENANT/tfvars/1-resman.auto.tfvars.json
tenants/$TENANT/tfvars/2-networking.auto.tfvars.json"
tenants/$TENANT/tfvars/2-networking.auto.tfvars.json
tenants/$TENANT/tfvars/2-security.auto.tfvars.json"
fi
;;
*)
Expand Up @@ -40,3 +40,8 @@ includedPermissions:
- networksecurity.securityProfiles.list
- networksecurity.securityProfiles.update
- networksecurity.securityProfiles.use
- networksecurity.tlsInspectionPolicies.create
- networksecurity.tlsInspectionPolicies.get
- networksecurity.tlsInspectionPolicies.list
- networksecurity.tlsInspectionPolicies.update
- networksecurity.tlsInspectionPolicies.use
Expand Up @@ -29,3 +29,6 @@ includedPermissions:
- networksecurity.securityProfiles.get
- networksecurity.securityProfiles.list
- networksecurity.securityProfiles.use
- networksecurity.tlsInspectionPolicies.get
- networksecurity.tlsInspectionPolicies.list
- networksecurity.tlsInspectionPolicies.use
2 changes: 1 addition & 1 deletion fast/stages/0-bootstrap/organization.tf
Expand Up @@ -181,14 +181,14 @@ module "organization" {
"roles/accesscontextmanager.policyAdmin",
"roles/cloudasset.viewer",
"roles/compute.orgFirewallPolicyAdmin",
"roles/compute.orgFirewallPolicyUser",
"roles/compute.xpnAdmin",
"roles/orgpolicy.policyAdmin",
"roles/orgpolicy.policyViewer",
"roles/resourcemanager.organizationViewer"
]))
, join(",", formatlist("'%s'", [
module.organization.custom_role_id["network_firewall_policies_admin"],
module.organization.custom_role_id["network_firewall_policies_viewer"],
module.organization.custom_role_id["ngfw_enterprise_admin"],
module.organization.custom_role_id["ngfw_enterprise_viewer"],
module.organization.custom_role_id["service_project_network_admin"],
2 changes: 1 addition & 1 deletion fast/stages/1-resman/branch-networking.tf
Expand Up @@ -41,7 +41,7 @@ locals {
(var.custom_roles["network_firewall_policies_admin"]) = [
try(module.branch-nsec-sa[0].iam_email, null)
]
(var.custom_roles["network_firewall_policies_viewer"]) = [
"roles/compute.orgFirewallPolicyUser" = [
try(module.branch-nsec-r-sa[0].iam_email, null)
]
}
18 changes: 18 additions & 0 deletions fast/stages/1-resman/branch-security.tf
Expand Up @@ -50,6 +50,24 @@ module "branch-security-folder" {
]
}
iam = local._security_folder_iam
iam_bindings = {
tenant_iam_admin_conditional = {
members = [
module.branch-security-sa.iam_email,
]
role = "roles/resourcemanager.folderIamAdmin"
condition = {
expression = format(
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
join(",", formatlist("'%s'", [
"roles/privateca.certificateManager"
]))
)
title = "security_sa_delegated_grants"
description = "Certificate Authority Service delegated grants."
}
}
}
tag_bindings = {
context = try(
local.tag_values["${var.tag_names.context}/security"].id, null
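Review bot: The new binding key `tenant_iam_admin_conditional` does not describe what it grants — this is the org-level security folder rather than a tenant, and the condition's own title is `security_sa_delegated_grants`; reusing that name for the key, `security_sa_delegated_grants = {`, keeps the state address and the condition title in step. It is also not obvious from the hunk which operation needs a folder-level `roles/resourcemanager.folderIamAdmin` delegated grant, since the `privateca.certificateManager` bindings added in core-dev.tf and core-prod.tf appear to be attached to the CA pool resources; a one-line comment above `iam_bindings`, e.g. `# delegated grant: security SA may only bind privateca.certificateManager under this folder`, would save the next reader the search. As I read the `hasOnly` condition with its empty-list default, it follows the documented delegated-grants pattern, so a setIamPolicy that touches any role outside the list is rejected while calls that carry no modified grants pass. The `branch-security-folder` module block starts in the hunk header and continues past the hunk.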
2 changes: 1 addition & 1 deletion fast/stages/1-resman/iam.tf
Expand Up @@ -48,7 +48,7 @@ locals {
member = module.branch-nsec-sa[0].iam_email
role = local.custom_roles["ngfw_enterprise_admin"],
}
sa_net_nsec_r_fw_policy_admin = {
sa_net_nsec_r_fw_policy_user = {
member = module.branch-nsec-sa[0].iam_email
role = "roles/compute.orgFirewallPolicyUser"
}
126 changes: 116 additions & 10 deletions fast/stages/2-security/README.md


86 changes: 85 additions & 1 deletion fast/stages/2-security/core-dev.tf
@@ -1,5 +1,5 @@
/**
* Copyright 2023 Google LLC
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -15,6 +15,18 @@
*/

locals {
# Extract NGFW locations from dev CAS
ngfw_dev_locations = toset([
for k, v in var.cas_configs.dev
: v.location
if contains(var.ngfw_tls_configs.keys.dev.cas, k)
])
ngfw_dev_sa_agent_cas_iam_bindings_additive = {
nsec_dev_agent_sa_binding = {
member = module.dev-sec-project.service_agents["networksecurity"].iam_email
role = "roles/privateca.certificateManager"
}
}
dev_kms_restricted_admins = [
for sa in distinct(compact([
var.service_accounts.data-platform-dev,
Expand Down Expand Up @@ -54,3 +66,75 @@ module "dev-sec-kms" {
}
keys = local.kms_locations_keys[each.key]
}

module "dev-cas" {
for_each = var.cas_configs.dev
source = "../../../modules/certificate-authority-service"
project_id = module.dev-sec-project.project_id
ca_configs = each.value.ca_configs
ca_pool_config = each.value.ca_pool_config
iam = each.value.iam
iam_bindings = each.value.iam_bindings
iam_bindings_additive = (
contains(var.ngfw_tls_configs.keys.dev.cas, each.key)
? merge(local.ngfw_dev_sa_agent_cas_iam_bindings_additive, each.value.iam_bindings_additive)
: each.value.iam_bindings_additive
)
iam_by_principals = each.value.iam_by_principals
location = each.value.location
}

resource "google_certificate_manager_trust_config" "dev_trust_configs" {
for_each = var.trust_configs.dev
name = each.key
project = module.dev-sec-project.project_id
description = each.value.description
location = each.value.location

dynamic "allowlisted_certificates" {
for_each = each.value.allowlisted_certificates
content {
pem_certificate = file(allowlisted_certificates.value)
}
}

dynamic "trust_stores" {
for_each = each.value.trust_stores
content {
dynamic "intermediate_cas" {
for_each = trust_stores.value.intermediate_cas
content {
pem_certificate = file(intermediate_cas.value)
}
}
dynamic "trust_anchors" {
for_each = trust_stores.value.trust_anchors
content {
pem_certificate = file(trust_anchors.value)
}
}
}
}
}

resource "google_network_security_tls_inspection_policy" "ngfw_dev_tls_ips" {
for_each = (
var.ngfw_tls_configs.tls_inspection.enabled
? local.ngfw_dev_locations : toset([])
)
name = "${var.prefix}-dev-tls-ip-0"
project = module.dev-sec-project.project_id
location = each.key
ca_pool = try([
for k, v in module.dev-cas
: v.ca_pool_id
if v.ca_pool.location == each.key && contains(var.ngfw_tls_configs.keys.dev.cas, k)
][0], null)
exclude_public_ca_set = var.ngfw_tls_configs.tls_inspection.exclude_public_ca_set
min_tls_version = var.ngfw_tls_configs.tls_inspection.min_tls_version
trust_config = try([
for k, v in google_certificate_manager_trust_config.dev_trust_configs
: v.id
if v.location == each.key
][0], null)
}
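Review bot: `ca_pool` and `trust_config` in `ngfw_dev_tls_ips` each take `[0]` of a filtered list wrapped in `try(..., null)`, so when a location holds more than one NGFW-flagged CAS pool or more than one trust config the policy silently binds whichever sorts first, and when no trust config exists for a location `trust_config` becomes null with no signal at plan time; the `-0` name suffix suggests one per location was intended. A `lifecycle` precondition on the resource would turn both cases into an explicit plan error, assuming the stage already pins a Terraform release that supports custom conditions; the same pattern is in `ngfw_prod_tls_ips` in core-prod.tf. The comment on `ngfw_dev_locations` could also state the downstream effect, e.g. `# Locations of the CAS pools flagged for NGFW; one TLS inspection policy is created per location`. Whether a missing trust config should be an error or an accepted configuration I cannot tell from this hunk, so the second precondition below only rejects duplicates.
```hcl
resource "google_network_security_tls_inspection_policy" "ngfw_dev_tls_ips" {
  # … unchanged: for_each, name, project, location, ca_pool, exclude_public_ca_set, min_tls_version, trust_config …

  lifecycle {
    precondition {
      condition = length([
        for k, v in module.dev-cas : k
        if v.ca_pool.location == each.key && contains(var.ngfw_tls_configs.keys.dev.cas, k)
      ]) == 1
      error_message = "Exactly one NGFW CAS pool is expected in location ${each.key}."
    }
    precondition {
      condition = length([
        for k, v in google_certificate_manager_trust_config.dev_trust_configs : k
        if v.location == each.key
      ]) <= 1
      error_message = "At most one trust config is expected in location ${each.key}."
    }
  }
}
```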
87 changes: 86 additions & 1 deletion fast/stages/2-security/core-prod.tf
@@ -1,5 +1,5 @@
/**
* Copyright 2023 Google LLC
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -15,6 +15,18 @@
*/

locals {
# Extract NGFW locations from prod CAS
ngfw_prod_locations = toset([
for k, v in var.cas_configs.prod
: v.location
if contains(var.ngfw_tls_configs.keys.prod.cas, k)
])
ngfw_prod_sa_agent_cas_iam_bindings_additive = {
nsec_prod_agent_sa_binding = {
member = module.prod-sec-project.service_agents["networksecurity"].iam_email
role = "roles/privateca.certificateManager"
}
}
prod_kms_restricted_admins = [
for sa in distinct(compact([
var.service_accounts.data-platform-prod,
Expand Down Expand Up @@ -53,3 +65,76 @@ module "prod-sec-kms" {
}
keys = local.kms_locations_keys[each.key]
}

module "prod-cas" {
for_each = var.cas_configs.prod
source = "../../../modules/certificate-authority-service"
project_id = module.prod-sec-project.project_id
ca_configs = each.value.ca_configs
ca_pool_config = each.value.ca_pool_config
iam = each.value.iam
iam_bindings = each.value.iam_bindings
iam_bindings_additive = (
contains(var.ngfw_tls_configs.keys.prod.cas, each.key)
? merge(local.ngfw_prod_sa_agent_cas_iam_bindings_additive, each.value.iam_bindings_additive)
: each.value.iam_bindings_additive
)
iam_by_principals = each.value.iam_by_principals
location = each.value.location
}

resource "google_certificate_manager_trust_config" "prod_trust_configs" {
for_each = var.trust_configs.prod
name = each.key
project = module.prod-sec-project.project_id
description = each.value.description
location = each.value.location

dynamic "allowlisted_certificates" {
for_each = each.value.allowlisted_certificates
content {
pem_certificate = file(allowlisted_certificates.value)
}
}

dynamic "trust_stores" {
for_each = each.value.trust_stores
content {
dynamic "intermediate_cas" {
for_each = trust_stores.value.intermediate_cas
content {
pem_certificate = file(intermediate_cas.value)
}
}
dynamic "trust_anchors" {
for_each = trust_stores.value.trust_anchors
content {
pem_certificate = file(trust_anchors.value)
}
}
}
}
}

resource "google_network_security_tls_inspection_policy" "ngfw_prod_tls_ips" {
for_each = (
var.ngfw_tls_configs.tls_inspection.enabled
? local.ngfw_prod_locations : toset([])
)
name = "${var.prefix}-prod-tls-ip-0"
project = module.prod-sec-project.project_id
location = each.key
ca_pool = try([
for k, v in module.prod-cas
: v.ca_pool_id
if v.ca_pool.location == each.key && contains(var.ngfw_tls_configs.keys.prod.cas, k)
][0], null)
exclude_public_ca_set = var.ngfw_tls_configs.tls_inspection.exclude_public_ca_set
min_tls_version = var.ngfw_tls_configs.tls_inspection.min_tls_version
trust_config = try([
for k, v in google_certificate_manager_trust_config.prod_trust_configs
: v.id
if v.location == each.key
][0], null)
}

Binary file modified fast/stages/2-security/diagram.png
7 changes: 5 additions & 2 deletions fast/stages/2-security/main.tf
@@ -1,5 +1,5 @@
/**
* Copyright 2023 Google LLC
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -33,7 +33,6 @@ locals {
)
}
}

# list of locations with keys
kms_locations = distinct(flatten([
for k, v in var.kms_keys : v.locations
Expand All @@ -48,7 +47,11 @@ locals {
}
}
project_services = [
"certificatemanager.googleapis.com",
"cloudkms.googleapis.com",
"networkmanagement.googleapis.com",
"networksecurity.googleapis.com",
"privateca.googleapis.com",
"secretmanager.googleapis.com",
"stackdriver.googleapis.com"
]